Adding tasks to a Microsoft Sentinel incident via REST API

Introduction The new ability to add tasks to an incident in Microsoft Sentinel is one of the best new features IMHO. It takes one big step forward in being able to completely handle the complete incident investigation within Microsoft Sentinel. As of right now, you can either run an automation rule or use the Microsoft […]

Getting ALL the Microsoft Sentinel rule templates

Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]

Extract Microsoft Sentinel MITRE information to CSV file – Part III

Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]

Two different ways to add data to Microsoft Sentinel using REST APIs

Introduction While the title of this blog post says it is about how to add data to Microsoft Sentinel, technically the APIs we will discuss will write to Azure Monitor. However, the data will be readable by Microsoft Sentinel, so it is close enough 🙂 Microsoft Sentinel, through its extensive list of built-in data connectors, […]

Use an analytic rule’s description for remediation steps

Introduction I am sure you know that each Analytic rule in Microsoft Sentinel has a “Description field, and its contents get copied into the incident that this rule creates. I am sure you are also aware that some of the problems with newer security analysts are not knowing what steps to take to resolve an […]

Automatically apply updates to Analytic rules that have “Update Available”

Introduction Edit: It appears that I forgot to put the actual link to the code. You can get it here If you do not keep up to date with the analytic rules, you may find yourself in the scenario where there are a lot of rules that have updates that can be applied. If you […]

Extract Microsoft Sentinel MITRE information to CSV file – Part II

Introduction In my last blog post (Extract Microsoft Sentinel MITRE information to CSV file – Yet Another Security Blog ( I went over a PowerShell script that will extract the information from the MITRE ATT&CK page in Microsoft Sentinel. In this post I am expanding on that script with two new parameters ShowZeroSimulatedRuleTemplates ShowAllSimulatedRuleTemplates This […]